ViewStateUserKey makes ViewState more tamper-resistant

November 17, 2004 8:23 PM Comments [1] Posted in ASP.NET | ViewState

Here's a little-known but very useful no-brainer to add to your ASP.NET application's base Page.

void Page_Init (Object sender, EventArgs e)
{
   if (User.Identity.IsAuthenticated)
      ViewStateUserKey = User.Identity.Name;
}

"What this does is key the view state to an individual using a unique value of your choice.  This option, which is only available in ASP.NET 1.1, is the Page.ViewStateUserKey. This needs to be applied in Page_Init because the key has to be provided to ASP.NET before view state is loaded."

For more good details on preventing tampering and best-practices with ASP.NET, visit Anil John's page on Authentication/Authorization and Defense in Depth.

Tracked by:
"ViewStateUserKey and "Invalid_Viewstate" when posting back during Forms Authent... [Trackback]
Comments [1]
« What are you reading? | Home | Presentation Tips for People running Vir... »
Thursday, November 18, 2004 12:34:20 AM UTC
Always good to share the wealth. Personally I use ViewStateUserKey = Session.SessionID, its the first thing I do when I create a new page.
Andrew Baum
Comments are closed.
Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer’s view in any way.